Privacy Statement - Loctax Website
This is the privacy statement of:
Loctax NV, a limited company registered in Belgium under company number 0754.858.750, having its registered address at Gebroeders Vandeveldestraat 68, 9000 Ghent, Belgium.
Also referred to as "we" or "us".
We own and operate the website https://www.loctax.com (the "Site").
This privacy statement covers all personal data of customers, users, job candidates, business partners, suppliers, and prospects we collect and use for our own business purposes (e.g. marketing, sales, recruitment, etc.).
Please refer to the platform-specific privacy statement for a more detailed explanation of how we collect, use, and process personal data in the context of the Platform (the "Platform"). This includes personal data of customers and users as well as personal data they provide or input into the Platform.
Why this privacy statement?
We believe that true transparency is essential when it comes to your personal data. This privacy statement is designed to explain how we handle your personal data in a clear and easy-to-understand way. To help you fully understand the information in this privacy statement, it's important that we first explain some key concepts. Understanding these concepts will provide the context you need to make informed decisions and feel confident in how we manage your personal data.
We are committed to following privacy laws that protect your personal data, particularly the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable Belgian laws that implement and/or specify the EU legislation regarding personal data protection.
Key concepts
Here are some important terms related to data protection that will be used in this privacy statement:
Personal data: this refers to any information that can identify you, either directly (like your name or email address) or indirectly (like an online identifier such as an IP address).
Data processing: this term refers to any action taken with your personal data, such as collecting, storing, using, or sharing it.
Data controller and data processor: the GDPR distinguishes between two roles when it comes to handling personal data:
- A data controller is the entity that decides what personal data is collected and for what purposes it will be used (deciding).
- A data processor handles the personal data on behalf of the data controller and follows their instructions (facilitating).
At Loctax, we act as a data controller for the personal data we collect and use for our own purposes. This means we determine why and how personal data is used, and it is our responsibility to ensure that it is handled lawfully, fairly, and transparently. This privacy statement is directed to all data subjects whose personal data we process in our capacity as a data controller.
In certain situations—such as when customers or users enter data into the Platform when using our services—we may act as a data processor. In this case, we process the data on behalf of the customer and follow their instructions. If you are using the Platform, you should refer to the Platform-specific privacy statement for more information on how personal data is processed in this context.
We make it a priority to provide you with access to this privacy statement before you share your personal data with us. This allows you to understand how your data will be handled and make an informed decision. Please take the time to read this privacy statement carefully and make sure you fully understand it.
For a comprehensive understanding of how we manage your personal data, we encourage you to also read our cookie policy (the "Cookie Policy").
If you have any suggestions for improving our privacy practices, please reach out to us via [email protected].
What personal data do we collect from you and why?
Depending on your relationship with us and how you interact with our Site, we may collect and store specific types of personal data, as outlined in the tables below. This personal data is used for various purposes unique to each type of data subject. Under the data protection legislation, we must always have a lawful basis for using your personal data.
We will only use your personal data for the purpose(s) for which it was originally collected, unless we determine that another purpose is compatible with the original purpose(s). If we need to use your personal data for a new or unrelated purpose, we will inform you and, where applicable, seek your consent before doing so.
In some cases, where permitted or required by law, we may process your personal data without explicit prior notification to you or without your explicit consent. This will always be done in accordance with the data protection laws.
We do not actively collect any 'special category' or 'sensitive' personal data revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data, health data, sex life or sexual orientation.
Job candidates
This category includes anyone whose personal data is stored in our Applicant Tracking System (ATS) for recruitment purposes, regardless of whether they actively applied for a position.
| Processing activity | Category of personal data | Specific personal data | Lawful basis |
|---|---|---|---|
| Retaining personal data of active job candidates in our ATS to assess their suitability for employment | Personal identification data, contact data and professional data | First name, date of birth, address, telephone number, email address, CV, cover letter, resume photos, references, letters of recommendation (where applicable), nationality, work permit, and any other personal data that you deliberately share with us in the context of your job interviews or assessments | Performance of a contract |
| Retaining personal data of rejected job candidates in our ATS for future job opportunities | Personal identification data, contact data and professional data | First name, date of birth, address, telephone number, email address, CV, cover letter, resume photos, references, letters of recommendation (where applicable), nationality, work permit, and any other personal data that you deliberately share with us in the context of your job interviews or assessments | Consent |
| Retaining personal data of rejected job candidates in our ATS to identify and efficiently handle duplicate job applications | Personal identification data and contact data | First name, date of birth, address, telephone number, email address | Legitimate interest |
| Enrichment of candidate database from public sources (such as LinkedIn, company websites, etc.) | Professional data | First name, date of birth, professional telephone number, professional email address, job title, company name | Legitimate interest |
| Dispute resolution | Identification data, application data, communication data | First name, date of birth, address, telephone number, email address, CV, cover letter, interview notes, correspondence related to the application process | Legitimate interest |
Collecting special categories of personal data from job candidates is rare and not something we actively inquire about. However, candidates may occasionally choose to include racial or ethnic origin when describing diversity-related experience, religious or philosophical beliefs in relation to education or volunteer work, or health information if requesting accommodations. Any such information is processed only if the candidate considers it relevant to share, and always in line with data protection laws.
Customers (account owners)
In this context, 'customer' refers to the legal representative of the customer organization responsible for managing or upholding the SaaS agreement with us. This individual may or may not have a user account on the Platform.
| Processing activity | Category of personal data | Specific personal data | Lawful basis |
|---|---|---|---|
| Account creation and management | Personal identification data, contact details | First name, last name, professional email, phone number | Contract performance |
| Managing legal processes and documentation (e.g. compliance, contract management) | Communication data | Internal/external professional emails, chats | Legitimate interest |
| Sending service communications (e.g. legal updates, onboarding emails) | Communication data | First name, last name, professional email | Contract performance |
| Sending marketing communications (e.g. newsletters, blogs, whitepapers, webinars, podcasts, product updates, etc.) | Communication data | First name, last name, professional email | Legitimate interest |
| Marketing engagement | Identification data, communication data | Name, email address, preferences for receiving marketing communications, engagement metrics (e.g., opens, clicks) | Consent or legitimate Interest |
| Customer testimonials | Identification data, communication data | Name, contact information, content of the testimonial, any applicable consent regarding publication | Consent |
| Customer satisfaction surveys | Communication data, identification data | Survey responses, feedback, first name, last name, professional email | Legitimate interest |
| Dispute resolution | Identification data, transaction data, communication data | Name, contact details, transaction history, payment records, invoices, emails, and communication records related to disputes | Contract performance Legitimate interest |
Users
A 'user' refers to any individual, other than the account owner, who has a user account on the Platform. These users are generally employees or contractors of the customer and interact with the Platform to perform tax-related or compliance tasks on the customer's behalf.
| Processing activity | Category of personal data | Specific personal data | Lawful basis |
|---|---|---|---|
| Account management and authentication | Personal identification data, contact details | Username, professional email, authentication data | Contract performance |
| Tracking user behavior and product usage | Behavioral data, online identifiers | User activity logs, IP address, device ID, session cookies | Legitimate interest |
| Collecting user feedback | Behavioral data, communication data | Feedback data, responses to surveys or feedback forms | Legitimate interest |
| Personalization and user experience | Behavioral data, preferences | User activity, language preferences, UI settings | Legitimate interest |
| Marketing communications | Contact details, preferences | Professional email address, marketing preferences | Consent or legitimate interest |
| Security and fraud prevention | Behavioral data, online identifiers | IP address, login attempts, device data | Legitimate interest |
| Dispute resolution | Identification data, activity data, communication data | Name, email address, usage data, transaction history, support inquiries, chat logs | Contract performance Legitimate interest |
Prospects
A "prospect" refers to an individual at a prospective client organization whose personal data is processed by Loctax for marketing and sales purposes.
| Processing activity | Category of personal data | Specific personal data | Lawful basis |
|---|---|---|---|
| Personalized marketing and sales outreach (e.g. after you book a demo via the Site) | Contact details | Professional email, phone number, name, last name, location, company, job title | Consent or legitimate interest |
| Sending marketing communications (e.g. newsletters, blogs, whitepapers, webinars, podcasts, product updates, etc.) | Contact details | Professional email, job title, first name, last name, company | Consent |
| Hosting and managing events and webinars | Personal identification data, communication data | Name, email, interaction data (e.g., polls, questions, phone number, location, job title, company) | Consent |
| Content creation and distribution (i.e. webinars and podcasts) | Physical characteristics, preferences | Names, voice recordings, images, video recordings | Consent |
| Lead generation and enrichment of prospect database from public sources (e.g. LinkedIn and company websites) | Contact details, professional data, preferences | Name, professional email, phone number, job title, employer information, social media profile data, location, interaction data | Legitimate interest |
Business partners & suppliers
"Business partners & suppliers" refers to individuals employed by or associated with organizations that collaborate commercially with us, including business partners and suppliers, whose personal data is processed in the context of the partnership or supply relationship.
| Processing activity | Category of personal data | Specific personal data | Lawful basis |
|---|---|---|---|
| Managing supplier or partner contacts and contracts | Personal identification data, contact details | First name, last name, professional email, phone number | Contract performance |
| Communication and collaboration for ongoing projects | Communication data | Professional emails, chats, video conference details | Legitimate interest |
| Dispute resolution | Identification data, contractual data, transaction data, communication data | Name, contact details, contractual agreements, invoices, transaction records, correspondence related to business relationships | Contract performance Legitimate interest |
Website visitors
Any of the data subjects mentioned above may visit our Site at any time. Additionally, there may be other individuals visiting the Site who do not belong to these categories, such as general users seeking information about our services.
When you visit our Site, we may collect certain technical information about your device and browser, including your IP address, browser type, and operating system. This information is considered personal data and helps us improve your browsing experience.
If it's your first visit, we will recognize your IP address, but we won't associate it with any personal data unless you choose to provide that through forms or by accepting our tracking cookies. On your subsequent visits, if you have accepted cookies, we can recognize you as a returning visitor, allowing us to tailor your experience based on your previous interactions and preferences.
For more details on our use of cookies, please refer to our Cookie Policy.
How long do we keep your personal data?
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, regulatory, or contractual obligations. In some cases, this may require retaining personal data even after our relationship with you has ended.
For some categories of data subjects, we distinguish between:
- Existing: Individuals with whom we currently maintain a relationship.
- Former: Individuals with whom the relationship has ended.
We take all reasonable steps to delete personal data once it is no longer needed. Specific retention periods for all categories of data subjects are detailed in the retention tables below.
To understand whom we refer to under each category of data subjects please refer to the definitions provided earlier in this policy.
Customers
We retain personal customer information during the active business relationship and for up to 7 years after, for legal, regulatory, or contractual purposes.
| Status | Type of personal data | Retention period | Lawful basis |
|---|---|---|---|
| Existing (ongoing customer relationship) | Contact details, contractual information | Retained for the duration of the commercial relationship | Contract performance |
| Former (customer relationship has ended) | Contact details, contractual information | Any personal customer information directly related to the customer account on the Platform: deleted within 180 days after the customer contract ends Other personal data (e.g. included in invoices): up to 7 years post termination of the customer relationship | Contract performance (deletion of personal customer information in the Platform) Legitimate interest (dispute resolution) Legal obligation (requirement to retain invoices for 7 years under Belgian tax and accounting laws) |
Following the end of our business relationship, we will no longer use your contact details for marketing purposes if our communications were based on our legitimate interest as a lawful basis. If you previously provided valid consent for marketing communications, we will continue to send you updates and information for which you opted in until you choose to withdraw your consent. You may withdraw your consent at any time.
Users
We retain personal user information for the duration of their access to the platform and, if applicable, for up to 2 years after they stop being a user, e.g. to do usage analytics.
| Status | Type of personal data | Retention period | Lawful basis |
|---|---|---|---|
| Existing (active user account) | Contact details, login credentials, usage data | Retained as long as the customer relationship is active | Contract performance |
| Former (inactive user account) | Contact details, login credentials, usage data | Any personal user information in support tickets, feedback forms, etc.: up to 2 years after they stop being a user | Legitimate interest |
Following the end of your access to the Platform, we will no longer use your contact details for marketing purposes if these communications were based on our legitimate interest as the lawful basis. If you previously provided valid consent for marketing communications, we will continue to send you updates and information for which you opted in until you choose to withdraw your consent. You may withdraw your consent at any time.
Job candidates
We retain job application data during the recruitment process and for up to 1 year for future opportunities, if consent is given.
| Status | Type of personal data | Retention period | Lawful basis |
|---|---|---|---|
| Existing (recruitment process is ongoing) | Application information, CV, motivation letter | Retained for the duration of the application process | Legitimate interest |
| Former (recruitment process has been completed) | Application information, CV, motivation letter | 30 days post-application; up to 1 year with consent for future roles | Legitimate interest Consent (for longer retention) |
Business partners & suppliers
We retain personal data for the duration of the commercial relationship and for up to 7 years post-collaboration for legal, financial, or audit requirements.
| Status | Type of personal data | Retention period | Lawful basis |
|---|---|---|---|
| Existing (active commercial collaboration) | Contact details, contract information | Retained for the duration of the commercial relationship | Contract performance |
| Former (commercial collaboration has ended) | Contact details, contract information | Up to 7 years after the commercial relationship ends | Legitimate interest (regulatory compliance, audit) |
Prospects
We retain prospect data for marketing purposes for up to 2 years after the last active interaction, unless prospects withdraw their consent or object sooner.
| Status | Type of personal data | Retention period | Lawful basis |
|---|---|---|---|
| Both active and inactive leads | Contact details, engagement history | Retained up to 2 years after last active interaction (unless consent is withdrawn sooner) | Consent or legitimate interest |
Do we share your personal data with third parties?
We rely on trusted third-party providers who assist us for a variety of purposes. In doing so, they process personal data on our behalf. These providers are known as "data processors". We have made the necessary contractual arrangements with them to ensure that they handle your personal data securely and process it solely for our purposes, not for their own.
Below is a list of the types of data processors we work with and the purposes they serve:
- Web analytics providers: companies that help analyze user behavior and engagement on our Site.
- Payment processors: providers that securely handle online payments from paying customers, ensuring the safe processing of payment transactions for our services.
- Marketing tools: tools utilized for various marketing activities, including email campaigns and content promotion, as well as data enrichment solutions that help us gather additional information about leads and customers to deliver a more personalized experience.
- Survey and feedback tools: providers of platforms used to collect and analyze survey responses and user feedback.
- Event management platforms: services used to manage registration and attendee interactions for events we organize.
- Communication tools: providers of chat or contact forms that facilitate interactions through our Site or Platform and video communication platforms for webinars, virtual meetings, and online events.
- Applicant tracking systems: platforms used to manage recruitment processes and candidate data from job candidates.
- Customer relationship management (CRM) systems: systems used to manage information about customer entities and their representatives for communication, support, and account management purposes, as well as information about prospects for marketing and sales purposes.
- Social media platforms: services used to promote content and engage with our audience through social media.
If any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party's obligations under the law.
If any personal data is transferred outside of the European Economic Area (EEA), we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the GDPR, as explained below in Part 6.
If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this privacy statement.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
How and where do we store or transfer your personal data?
We will mainly store your personal data within the European Economic Area (the "EEA"). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the GDPR and/or to equivalent standards by law.
Furthermore, we may store some of your personal data in countries outside of the EEA. These are known as "third countries". We will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA as follows:
- According to the European Commission, the country of destination offers an adequate level of protection (e.g. transfers of personal data to the UK are permitted under the 'Decision on the adequate protection of personal data by the United Kingdom');
- The country of destination does not in itself provide an adequate level of protection, but we have entered into the necessary contractual arrangements with the party in question, taking into account the standard contractual clauses published by the European Commission.
How do we keep your personal data safe?
The security of your personal data is essential to us, and to protect it, we take a number of important measures, including the following:
- Limiting access to your personal data to employees, agents, contractors, and other third parties with a legitimate need to know, ensuring that they are subject to duties of confidentiality.
- Implementing technical safeguards, such as encryption, firewalls, and secure data storage systems, to protect personal data against unauthorized access, loss, or alteration.
- Regularly testing, assessing, and evaluating the effectiveness of our technical and organizational measures to ensure the ongoing security of personal data.
- Maintaining up-to-date systems and software to prevent vulnerabilities and ensure data protection.
- Conducting regular training for our employees and contractors to ensure awareness and compliance with data protection obligations.
- Establishing procedures for data breaches, including the identification, reporting, and management of breaches, and notifying you and/or the relevant Data Protection Authority when legally required.
- Minimizing data collection and retention, ensuring that we only collect and retain personal data necessary for the purposes outlined in this privacy statement.
- Requiring data processors and other third-party providers who process personal data on our behalf to implement appropriate security measures and operate under strict contractual obligations.
What privacy rights do you have?
Under the GDPR, you have the following rights:
- The right to be informed about our collection and use of your personal data. This privacy statement should tell you everything you need to know, but you can always contact us to find out more.
- The right to access the personal data we hold about you. Part 9 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to erasure, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Do note, however, that this is not an absolute right and that we can deny a request for erasure if retaining the data is necessary for compliance with a legal obligation, the performance of a contract, or for the establishment, exercise, or defense of legal claims.
- The right to restrict (i.e. prevent) the processing of your personal data. You can request that we limit how we use your personal data in certain circumstances (e.g., while accuracy is being verified).
- The right to object to us using your personal data for a particular purpose or purposes, such as marketing.
- The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 10.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.
How can you access your personal data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 10.
There is normally no charge for a subject access request. If your request is 'manifestly unfounded or excessive' (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs.
We will respond to your subject access request within one month. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
Questions?
To contact us about anything regarding your personal data and data protection, including to make a subject access request, please use the following details for the attention of our Data Protection Officer (DPO):
Email address: [email protected]
Postal address: Loctax NV, Gebroeders Vandeveldestraat 68, 9000 Gent (Belgium)
Complaints?
If you have any concerns about how we use your personal data, you have the right to file a complaint with the Data Protection Authority (DPA) in the EU country where you reside, work, or where the issue occurred.
We are regulated by the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de Protection des Données), so it is most logical to contact them for assistance. You can visit their website for more information here.
We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first by reaching out to [email protected].
Changes to this privacy statement
We may update this privacy statement from time to time to ensure compliance with new legislation or to reflect changes in our business that impact how we handle personal data.
Any updates will be posted on our Site. We encourage you to check this page regularly to stay informed about how we protect your personal data.
This privacy statement was last updated on 17/07/2025.
Links to other websites
Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.